Politecnico di Torino (logo)

DevSecOps pipelines improvement: new tools, false positive management, quality gates and rollback

Giovanni Bernardo

DevSecOps pipelines improvement: new tools, false positive management, quality gates and rollback.

Rel. Riccardo Sisto. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2022

PDF (Tesi_di_laurea) - Tesi
Licenza: Creative Commons Attribution Non-commercial No Derivatives.

Download (3MB) | Preview

DevSecOps, as extension of the DevOps paradigm, allows to integrate security inside applications and infrastructures from the beginning of the development, and to automate these security control activities. This development practice decreases the time necessary to make security checks, avoiding a ping-pong effect between developers and analysts, and allowing to save resources. A powerful DevSecOps instrument is the CI/CD pipeline: a sequence of steps that provides Continuous Integration (CI) and Continuous Delivery (CD), introducing automated security monitoring and providing a way to optimize the application development process. The objective of this thesis is the improvement of already existent DevSecOps pipelines orchestrated by Jenkins, focusing: on the introduction of new tools, on the management of false positives and on the introduction of quality gates and rollback functionalities. In this scenario cloud related technologies such as Docker and Kubernetes are used, with the purpose of hosting applications and tools. After a brief introduction about DevSecOps, about pipelines and about the different kinds of analysis, the first part of the thesis analyses basic tools initially suggested by the company and then the newly discovered ones. There are tools for static analysis (SAST, SCA, Container security) based on a white-box approach, tools for dynamic analysis based on a black-box approach and a IAST tool that works in a grey-box mode. The second part examines how false positives can be managed in DependencyCheck and ZAP. The choice of these two tools is given by the fact that they are already used in the company pipelines. Nevertheless, a third solution using DefectDojo has been designed, in order to be more general and applicable also to other tools. The third section describes how to implement a quality gate for ZAP and a quality gate suitable when a Vulnerability Management Tool, such as DefectDojo, is used. A topic strictly related to quality gates is the rollback of an application, also covered in this section, which introduces a possible scenario where an application running on a Kubernetes cluster is classified as not secure through a quality gate, and for this reason it is necessary to perform a rollback: stop of the newer running version and re-start of the older and secure one. In the last section, previously found and tested tools are evaluated and compared. Each kind of instrument is compared separately: SAST tools are compared through a benchmark, Container security tools through the reports generated on public docker images, SCA tools through the reports generated on public projects, while DAST tools comparison is based on the analysis of vulnerable applications. With regards to IAST tools, just one instrument of this type have been found and tested. Given the lack of competitors, a real comparison was thus not possible, but an overview about how this tool works is submitted nevertheless. It is meaningful to say that no suitable benchmarks other than "OWASP Benchmark" have been found, and that this last point of the work takes into account, for the most part, only the total number of found vulnerabilities, without identifying the percentage of false positives.

Relators: Riccardo Sisto
Academic year: 2022/23
Publication type: Electronic
Number of Pages: 94
Corso di laurea: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Classe di laurea: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Aziende collaboratrici: Blue Reply Srl
URI: http://webthesis.biblio.polito.it/id/eprint/24510
Modify record (reserved for operators) Modify record (reserved for operators)